DevSecOps: The Keys to Success

Although there's widespread agreement that addressing security early in the software development cycle is an essential component to any breach prevention strategy, implementing DevSecOps can prove challenging.

DevSecOps, which melds security into the DevOps function, requires collaboration among the development, security and operations groups, fully involving each in all aspects of the project, says Satyavathi Divadari, vice president of information security risk management, at Wells Fargo, India.

"The development team must make an effort to build secure software," says U.S.-based Sameer Shelke, co-founder and CTO at Aujas, a global information risk management solution provider. "I also feel they have to have a notion of a security champion. Not everybody in the development team will have security knowledge. So there has to be that one person who has the security know-how and works with other developers in the team to take ownership of security." (See: Leveraging a Next-Generation SOC to Enhance Threat Detection)

The Challenges

"Unfortunately, some organizations still believe in the notion that incorporating security earlier in and throughout the process of a development cycle will delay quick rollout of innovative new applications," Khullar says. "But when an organization speeds up development by skipping steps meant to identify flaws in untested code, it exposes itself in ways that would have been unthinkable under traditional development models."

Nearly 60 percent of data breaches worldwide in the past two years were related to exploiting a known software vulnerability that was not yet patched, Divadari says. Most notably, the massive Equifax breach involved such an exploit.

The DevSecOps model can help to avoid releasing software with vulnerabilities that pave the way for breaches.

"The DevSecOps model identifies the security vulnerabilities in the initial phases of the development cycle - planning, design and coding," Divadari explains.

Evolution of DevSecOps

DevOps, a software engineering culture and practice that aims at unifying software development and software operation, is becoming more common. But too often, security is an afterthought, says Sajan Paul, director, systems engineering, India and SAARC at Juniper Networks.

"Businesses now have a continuous development environment. Ecommerce websites see high traffic every day. In such an environment, it's not practical to have security outside the software system," Paul says. "If a CISO comes in later, he will implement SIEM along with SOC to keep a check on the red flags. However, this model is not scalable beyond a point and fails to address the requirements of new age digital companies."

The below graph shows the security testing challenges faced by firms.

Source: Synopsys

Security teams must determine if existing security tools can be integrated into a DevSecOps environment, identify alternative tools where needed and pinpoint procedures or controls that have to be updated or adapted, security experts advise.

A DevSecOps model requires standardized security practices, stresses Siddharth Shankar Agarwal, vice president of engineering at Zapr, India's largest media-based audience platform. "This will help in following the basic security practices irrespective of the software used," he says. "Both security and development teams must agree on libraries [to be used for the] development of code and security audits. The focus must be on automating security code review."

Khullar says that his firm made the decision to shift from DevOps to DevSecOps because of the speed with which it has to deliver services to customers.

"For organizations like Paytm, security outside of DevOps does not work. It limits the speed at which we want to reach out to our customers," he says. "Earlier, the security team got involved when a product was complete. Since security could not be compromised, we often had to wait a long time to market a product as we wanted to make sure it met our security standards."

As organizations move to adopt DevSecOps, Khullar suggests that they take the following steps:

Adapt the security testing tools and processes to the developers, not the other way around;

Focus on identifying and removing zero-day/critical vulnerabilities;

Train all developers on the basics of secure coding.

Not Always the Right Choice

Despite the benefits, using DevSecOps isn't always appropriate.

"Software with very high quality requirements, such as critical infrastructure controllers that may need formally or semi-formally validated security, will likely not work in DevSecOps," says Gerald Beuchelt, CISO at LogMeIn, a provider of software as a service and cloud-based remote connectivity services for collaboration. "Similarly, environments that have generally a low or zero tolerance for failure, such as financial transaction systems, national defense systems, electric power grid controllers, or life-support technology would in many cases not be ideal candidates for an unmodified DevSecOps approach."

Agarwal also notes that in certain sectors, such as financial services, healthcare and manufacturing, government regulations may restrict what can be done in some parts of the production environment.

"DevSecOps covers only one aspect of security, and not all security can be run in this manner," adds U.K.-based Steve Marshall, CISO and head of cyber consulting at Bytes Software Services .

The security element in DevSecOps is technical security and not corporate or information security, he notes. As a result, the corporate and information security teams must continue to act independently within an organization, he says.

"Therefore, it is advisable to embed only the technical security teams within the DevOps teams," Marshall says. "It is at this point one needs to consider if this change of function and role may require a completely different skill set than what traditional technical security teams have."

There are other challenges as well. "Developers think they can rely on automated security tooling to solve their issues, but they can't," says Pieter Danhieux, CEO, Secure Code Warrior, a cybersecurity company. "A second problem is most modern development makes use of a myriad of coding stacks, some of them quite new. Usually, these new frameworks are not supported yet by some of the security tooling (such as AST). This is another reason why it is vital that the developers themselves have secure coding skills, because the tools will never cover everything from a coding language perspective."

About the Author

Suparna Goswami is principal correspondent at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.